"We hired a qualified security assessor, or QSA, to conduct an independent review of the PCI-DSS compliance of our systems," Global states in its filing. The processor goes on to say that its effort to remediate its systems and processes is "substantially complete," and it hopes to be returned soon to the payment card network list of PCI-DSS compliant service providers. "Our failure or a delay in returning to the list could have a material adverse effect on our business, financial condition, results of operations and cash flows," Global states.

Global says it has now paid all fines related to non-compliance and has reached resolution with certain card networks, although it did not specify which ones. The processor also says its business has not suffered as a result of the breach.

"The impact on revenue of customers or other third parties who have failed to renew, terminated negotiations, or informed us they are not considering us at all, where we can confirm it is related to our removal from the lists, has been immaterial," Global states. "We continue to process transactions worldwide through all of the card networks."

The Breach

Global acknowledged the breach after security blogger Brian Krebs broke news about a hack that affected Global's payments network in late March 2012.

In announcing the breach, Global's CEO Paul Garcia said the breach was "manageable" and that Global was handling the response internally.

Shortly after news of the breach was made public, three separate card-issuing institutions provided BankInfoSecurity with copies of advisories first issued by Visa and MasterCard, confirming the breach occurred sometime between Jan. 21 and Feb. 25, 2012.

But in April 2012, Visa issued an update that warned issuers the breach likely occurred in 2011 and could have affected transactions dating back to June 7, 2011 (see Global Breach: Did It Start in 2011?).

Then, in early May, Visa and MasterCard issued more advisories, suggesting personal information about cardholders may also have been exposed during the Global attack. Initially, Global said only card-verification value codes and card numbers had been breached.

From the outset of the investigation, Global estimated that 1.5 million accounts were exposed by the breach, but news reports suggested the breach could have exposed as many as 7 million accounts.

In June, Global acknowledged it had expanded the number of potentially exposed cards, though it did not say by how many.

In the Jan. 8 filing, Global notes its internal investigation revealed unauthorized access to servers that housed personal information collected from merchants who applied for Global's processing services. But the processor says it could not determine the breadth of that personal data breach.

"We cannot verify those potentially affected, as it is unclear whether any information was exported," the company states. "However, we notified potentially affected individuals and made available credit monitoring and identity protection insurance at no cost."